October 20, 2013

Download from B-Sides DC 2013

I went to my first DC-area security con, B-Sides DC, held yesterday and today, after attending Blackhat and Defcon earlier this year. There's definitely a difference, going to a conference where you go home at night vs. one where you stay at the conference hotel and focus entirely on the con. For one thing, you can't really give 100% of your attention to the conference contests and socializing. At the end of the day, you still have to commute back home, spend time with the family and deal with your normal responsibilities. So, right off, attending Defcon was the better experience solely for this reason. On the other hand, B-Sides DC was $10 for two days of learning, and my travel costs were $12 for parking and $6-$9 for gas. Defcon still wins, because, hey - Vegas - but other than that, this was well worth my weekend.

After attending Defcon, I was asked to give some talks on what I've learned out in Vegas and I had prepared a slide deck that had several advantages. One, I got to spread the knowledge to other people. The talks I gave went from the very broad to the very technical in sharing the Blackhat/Defcon experience, and giving the talks helped to cement some of the knowledge from the whirlwind that is the con experience. So I figured I should do a brain dump of sorts of my experience at B-Sides to cement some of the stuff I learned there, and organize some of the notes I've taken, links I picked up and Twitter accounts to add. These notes are going to be rambling, and have referential information throughout that I needed to capture. I'm only making a mild effort to make complete thoughts and sentences for the reader, and may not have even come to an assessment of what was important about each talk for me to take note of.

I have in my notes that Bruce is an author - I remember him discussing that the first book he authored was with O'Reilly - I recall that SOMEONE (not necessarily Bruce) at B-Sides said that the entry point into signing up to write a book on technical subjects seemed to have a fairly low barrier and that writing a book on a subject you barely knew was not only possible, but something he had done. Now that I think on it, I believe that was @grecs instead of Bruce (whomever it was, they had written a book on 802.11 and learned the subject while writing the book).

Bruce's talk was about education, skills, the difference that IT Security is from hard sciences, refocusing of the collective to the end goals of IT Security, and in the end, getting back to the roots of InfoSec by fucking shit up. He had a lot of personal stories, but I think they were mainly to demonstrate that the path to becoming an InfoSec ninja is not a cookie-cutter career path. In my notes I have written 'R U A WIZRD'? which refers to the Rock Star Syndrome he was discussing (not by name) of our over-inflated egos of thinking we're better than we really are just because we have the special skill of understanding how the magic smoke works. He went on to rail against Certifications not necessarily being the answer to the irrelevant and outdated curriculum of university degrees in the fast paced industry of InfoSec.

Bruce also brought a three-year old to B-Sides (and told him he was about to learn some new words) - although I'm pretty sure he was being himself, and the kid had probably heard those words before (forgive me Bruce if I'm wrong). The talk was very humanizing and I think it really led to the audience being able to identify with the college-dropout, successful level 42 Wizard, author, industry leader.

In the end, though, Bruce had a point - he wanted us to try to figure out how to fix the education problem (where Youtube videos are better InfoSec teachers than instructurs), how to fix the qualifications problem (where who-you-know frequently passes for what-you-know and security certs are still testing whether you know outdated security models from the 1970s) and get to the business of ACTUALLY FIXING THE CUSTOMER'S PROBLEM - which is broken security. And he had another point - Bruce asked for people to get back to the roots of InfoSec and maybe stop being so damned gentlemanly. The bad guys aren't playing nice, and I think that he's a bit upset that everyone is being so damned nice to each other and respecting each other's boundaries at cons and other hacker battlegrounds. Probably because it's dulling our senses and our abilities as a group.

B-Sides has two talk tracks (and one education track) - and it was this talk or a talk on why your corporate password policy is weak. Since I'm already a soap-box candidate for preaching about password policies as a failed solution and I didn't want to learn what SANS 20 Security Controls were, I sat in on Michele's talk about why we'll fail the BYOD battle. Of course, I was expecting a technical talk, not a psychology talk - which is what she ended up giving. She explained the drug-like addiction properties of social media and the devices that we use, and encouraged empathy and embracing the user's wishes when it comes to BYOD [Sorry: that's Bring Your Own Device (to work) for the uninitiated]. She spoke about how Security [industry and policy] is seen as just a roadblock to users getting what they want.

My notes have three takeaways: 'Stoptional' - the optional stopping of a vehicle at a stop sign, presumably in Louisiana - a cute term someone behind me and to my right explained when comparing corporate security policy and the likelihood that your users will obey it to STOP signs and road laws. Empathy/working together - which summed up MrsYisWhy's point she wanted us to consider - key slide being 'Don't say No - say Yes, and....' (I personally prefer Yes, but... but I can see how that might make me out to be the bad guy) and www.healthyparanoia.net which appears to take me to the Packet Pushers Podcast page - a podcast I had previously been unaware of.

She then handed out T-Shirts to some random trivia questions and was upset that no one remembered that Solaris 2.6 marked the beginning of their shift to a 64-bit OS. Her personality overall, by the way, seems to match very readily to the picture she's chosen as an avatar on Twitter - a bit on the spiritual/kooky side.

@grecs' talk was full of useful information and links on Malware Analysis - a weak point for me since I haven't done much of it. Not only did I take notes, but I actually used my phone to take some [screen]shots of his talk on the projection screen that I need to transcribe later.

I think @grecs is a recovering stutterer, or is developing one - but he pushed through it fairly well and only had a few seconds of touch and go fighting it off during his speech. Talking in public is HARD, HARD, HARD for anyone - I can't imagine how much more difficult it must be when your brain just decides to lock up on you like that - not only do you feel some embarrassment, but that just adds to the problem and it can go into a death spiral...so good job pushing that stick forward and pulling out of the death spiral!

Grecs is actually a Twitter account I already follow, and I like some of the articles that recur on NOVA Infosec, his website. It appears the Malware Analysis BSides DC slide deck has already been posted there from his talk (Thanks, Dude!!!!) Also, I should thank his sponsors @BulbSecurity and @PenTestTraining for bringing him to B-Sides DC and supporting his work. It is people like @grecs who help the security industry's world go 'round and it can be hard to get paid to do work that benefits a community.

Ok - for this talk I have THREE written pages of notes that are mostly a list of tools for the various aspects of setting up a Malware Analysis Lab, the step-by-step processes and alignment of the tools to those processes and relevant training websites. Once he got going - this talk was probably the most STRUCTURED and INFORMATION DENSE talk of the conference. The slides are up on SlideShare - use the link above on his website to essentially see what I've put down in my notes. Knowing they're there - I'm not going to attempt to replicate the information here.

----Tired for now - will take a break and resume discussions of other talks later on ---------